安全🔐 高性能 的 Sysctl 配置
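### Kernel tuning ###
# System-wide limit on open file handles.
fs.file-max = 2097152
# Prefer reclaiming page cache over swapping anonymous memory.
vm.swappiness = 10
# Percentage of RAM that may hold dirty pages before writers are forced to
# flush (dirty_ratio) and before background writeback starts
# (dirty_background_ratio). 60 is aggressive: a large buffered write or an
# unexpected power loss can cost a lot of unflushed data; lower it on hosts
# where that matters more than throughput.
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2
# Nanoseconds the scheduler assumes a task stays cache-hot before it is
# considered for migration to another CPU.
kernel.sched_migration_cost_ns = 5000000
# Group tasks by TTY session (left at the kernel default; uncomment to disable).
#kernel.sched_autogroup_enabled = 0

### General network security options ###
# SYN-ACK retransmissions for passive (server-side) TCP connections.
net.ipv4.tcp_synack_retries = 2
# Local (ephemeral) port range. Previous value: 30000 65535.
# sysctl(8) only treats '#' / ';' at the start of a line as a comment, so a
# trailing "# old value" after a setting is written to /proc/sys verbatim and
# the key fails with "Invalid argument". Old values therefore live on their
# own comment lines throughout this file.
net.ipv4.ip_local_port_range = 2000 65535
# RFC 1337: protect against TIME-WAIT assassination.
net.ipv4.tcp_rfc1337 = 1
# SYN cookies: keep the listen queue usable under a SYN flood.
net.ipv4.tcp_syncookies = 1
# Seconds an orphaned connection stays in FIN-WAIT-2. Previous value: 15.
net.ipv4.tcp_fin_timeout = 10
# Idle seconds before the first keepalive probe, number of probes before the
# connection is dropped, and the interval between probes (seconds).
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

### Network performance tuning ###
# Default and maximum socket receive buffer (bytes).
net.core.rmem_default = 31457280
net.core.rmem_max = 33554432
# Default and maximum socket send buffer (bytes).
net.core.wmem_default = 31457280
net.core.wmem_max = 33554432
# Upper bound on the accept() backlog of a listening socket. Previous value: 250000.
net.core.somaxconn = 65535
# Packets queued on the input side when an interface receives them faster than
# the kernel can process them. Previous value: 250000.
net.core.netdev_max_backlog = 65535
# Maximum ancillary (option) buffer per socket (bytes).
net.core.optmem_max = 25165824
# Total buffer space available to TCP / UDP: low, pressure, high.
# Measured in pages (4096 bytes on most systems).
net.ipv4.tcp_mem = 786432 1048576 16777216
net.ipv4.udp_mem = 65536 131072 262144
# Per-socket receive buffer: min, default, max (bytes).
net.ipv4.tcp_rmem = 8192 87380 33554432
net.ipv4.udp_rmem_min = 16384
# Per-socket send buffer: min, default, max (bytes).
net.ipv4.tcp_wmem = 8192 65536 33554432
net.ipv4.udp_wmem_min = 16384
# Upper bound on TIME-WAIT sockets; beyond it they are destroyed immediately
# and a warning is logged. Guards against simple resource-exhaustion DoS.
# Previous value: 1440000.
net.ipv4.tcp_max_tw_buckets = 2000000
# tcp_tw_recycle was removed in Linux 4.12 and broke clients behind NAT; keep it off.
#net.ipv4.tcp_tw_recycle = 1
# Reuse TIME-WAIT sockets for new outgoing connections when safe.
net.ipv4.tcp_tw_reuse = 1
# Maximum size of the half-open (SYN_RECV) connection queue.
net.ipv4.tcp_max_syn_backlog = 8192
# TCP low-latency mode. NOTE: this knob has had no effect since Linux 4.14;
# it is kept only for older kernels.
net.ipv4.tcp_low_latency = 1
# TCP Fast Open: 1 = client, 2 = server, 3 = both.
net.ipv4.tcp_fastopen = 3
# Path MTU probing: 1 = enabled only after an ICMP black hole is detected.
net.ipv4.tcp_mtu_probing = 1
# BBR congestion control with the CAKE queue discipline.
# Requires the tcp_bbr and sch_cake modules (modprobe tcp_bbr sch_cake) or a
# kernel with them built in; otherwise sysctl reports an error for these keys.
net.core.default_qdisc = cake
net.ipv4.tcp_congestion_control = bbr

### Security hardening ###
# Strict reverse-path filtering: drop packets whose source address is not
# reachable through the interface they arrived on (anti-spoofing). Use 2
# (loose) on multi-homed hosts with asymmetric routing.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# ICMP redirects: do not accept them unless this host is a router.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
# Do not send ICMP redirects on a non-router.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Source-routed packets let the sender dictate the path; do not accept them.
# (IPv6: 0 still accepts routing header type 2 used by Mobile IPv6; use -1 to
# reject all routing headers.)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# IP forwarding: enable only on systems acting as a router.
#net.ipv4.ip_forward = 0
#net.ipv6.conf.all.forwarding = 0
#net.ipv6.conf.default.forwarding = 0
# Ignore ICMP echo (ping) requests.
# WARNING: this breaks monitoring tools and applications that rely on echo replies.
net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.icmp.echo_ignore_all = 1
# Further reading: https://wiki.archlinux.org/title/sysctl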
Arch Linux
路径: /etc/sysctl.d/custom.conf
官方文档: https://wiki.archlinuxcn.org/wiki/Sysctl